29 August 2024
Pavel Durov, the founder and CEO of Telegram, was arrested in Paris on August 25, 2024 on charges related to his platform allegedly being used for illegal activities. Three days later, he was indicted and released on bail, with six charges related to illicit activity on Telegram. While people all over the world discuss Telegram’s loose moderation measures and wonder if providers of web services should be liable for the actions of their users, a certain type of Telegram users — cybercriminals using the platform — have something to say too.
In recent years, as detailed by KELA, Telegram has become popular as a platform for a wide range of cybercrimes. These include selling illegally obtained data, such as personal information, sensitive documents, and compromised accounts, and using the platform to facilitate infostealer, ransomware, hacktivist and other operations. Among reasons why Telegram is attractive to cybercriminals are anonymity and the ability to build communities, enabling cybercriminals to both hide their identities from law enforcement and have access to multiple potential sellers.
Now these cybercriminals are concerned with repercussions that Durov’s arrest can cause to their operations. While some of them discuss additional safety precautions, others go on the offensive and support Durov with cyberattacks against France. KELA has reviewed cybercriminals’ actions and discussions on the matter.
Threat Actors Supporting Durov
After Durov’s arrest, many people all over the world have expressed their dissatisfaction with the Telegram CEO’s arrest, viewing it as unjustified. In response, a campaign using the hashtags #FreeDurov” and #FreePavel was initiated and spread across the internet. Public figures who participated in the campaign included Elon Musk and Robert F. Kennedy.
Some threat actors, mainly hacktivists who are actively using Telegram, were seen discussing the arrest and supporting Durov. For example, StucxTeam, a hacktivist group known for targeting Israeli organizations, was debating whether Durov is responsible for terrorism and other illegal activities that use Telegram as their communication platform, adding the “#freedurov” hashtag at the end of the message. This message was one of many supporting statements observed using the hashtag on different hacktivist channels.
StucxTeam commenting on Durov’s arrest: Source: KELA platform
Some actors went beyond using the hashtags to launch cyberattacks on France in response to the arrest. On August 25, the pro-Russian hacktivist group People’s Cyber Army of Russia posted “#freedurov” on their channel and then announced a week-long attack on French “internet portals” in reaction to the arrest. They invited other threat groups to join them in this activity. As their first action, the group claimed to have launched a DDoS attack on the website of the French National Agency for the Safety of Medicines and Health Products (ANSM), which is associated with the French government, causing the website to be inaccessible for a period of time, as noticed by KELA.
The People’s Cyber Army of Russia statement and attacks announcement (auto-translated by KELA platform)
Another pro-Russian hacking group called UserSec initiated an attack campaign named “#FreeDurov” on their Telegram channel and urged other threat groups to unite in cyberattacks against France, citing their use of Durov’s messenger: “It will not be better for any of us if Durov is imprisoned on the charges that they want to bring against him. I invite all interested groups to join. Don’t forget that we use Durov’s messenger.”
Later, UserSec announced that, in collaboration with the People’s Cyber Army of Russia, they had carried out DDoS attacks on specific French targets. The first target was the website of the National Court of France, which was down on August 27, following the attack, and the second target was the website of the Paris tribunal. UserSec also claimed to deploy their “stealer” on French targets (possibly a stealer targeting Google Chrome that was mentioned on their channel a year ago). Other gangs, such as CyberDragon and OverFlame, have joined the campaign, while others have reposted the call.
UserSec initiating the #FreeDurov campaign on their Telegram channel (auto-translated by KELA platform)
Not only pro-Russian hacktivists have joined the efforts: the pro-Palestinian hacktivist group RipperSec conducted cyberattacks targeting various French websites, including PriceBank. RipperSec shared a message from the CGPLLNET threat group, announcing a new alliance and their plans to target France, and calling for more participants. On August 27, 2024, the group claimed responsibility for another cyberattack on France, and mentioned the groups involved in carrying out the attacks.
RipperSec is crediting other threat groups on helping to attack France
Based on this activity, it seems that hacktivists’ attacks on French organizations could be intensified in the near future, depending on how Durov’s case unfolds.
Interestingly, some cybercriminals have decided to support Telegram financially, for example, by investing in Telegram Stars, a recently introduced virtual items that allow users to purchase digital goods and services from bots and mini apps, as well as assist with channels’ monetization.
An owner of Deanon club project and Killnet Telegram channel invests in Telegram stars to support Durov (auto-translated by KELA platform)
Cybercriminals’ Concerns
For many other cybercriminals and their customers using Telegram, Durov’s arrest caused concerns about the platform’s safety and possible changes in moderation. Users of different cybercrime forums have created multiple threads mentioning the arrest, expressing mixed reactions.
Some users of cybercrime/drugs supply services are taking precautions communicating with these services, with several pausing their activities on the Telegram platform. The services suppliers are concerned about the security of their operations, particularly those who have stored sensitive information on Telegram, recognizing that this could expose them to significant risks if authorities gain access. KELA has also noticed instructions on how to prevent data loss on Telegram in case the authorities seize the servers circulating across different platforms.
A user plans to stop their regular communications with their “dealer” to lower the risk of them being caught
A user planning to delete their Telegram archives, containing stolen information from credit cards, bank accounts and more
Some threat actors are discussing alternative platforms, such as Tox, Session or Jabber for private messaging, due to their fear of being exposed if law enforcement gets access to some conversations. However, it does not seem that cybercriminals are actively leaving Telegram, with such activity merely related to setting up back up channels. For example, the actor claiming to be associated with the Lapsus$ group has set up an XMPP-protocol based channel, and shared a link on their Telegram channel for others to join.
Lapsus$-related channel announces a back-up XMPP conference channel
In general, long before Durov’s arrest, many cybercriminals avoided using Telegram for sensitive private conversations, claiming it is not safe. While some suspected Telegram of cooperation with Russian or other authorities, others pointed out the lack of end-to-end encryption on most of the chats (except so-called Secret chats). Therefore, the most cautious actors appear to have quit Telegram for a while now: for example, most of active RaaS operations now list only TOX, Jabber and Session as their contact methods.
A user discussing dangers of using Telegram
What’s Next
The recent attacks and discussions indicate that cybercrime users are concerned about Pavel Durov’s arrest, with some being concerned that his arrest may affect their primary communication platform. The arrest is likely to have a dual impact on cybercriminal activities on Telegram.
On one hand, it may lead to some actors taking precautions or considering alternative communication platforms, probably till the arrest’s full consequences will be clear. However, unlikely those who currently rely on Telegram will conduct a massive exodus, as many use it to form communities, advertise their product to multiple potential buyers and automate their operations, highly depending on Telegram’s channels, groups and bots. Currently, alternative platforms discussed by cybercriminals do not provide such functionality.
On the other hand, the arrest has inflamed certain hacktivist groups, leading to an increase in retaliatory cyberattacks, particularly against French organizations. The situation could evolve depending on the outcomes of ongoing legal actions.